(54) CRACKER MONITOR SYSTEM

(57) Abstract:

PROBLEM TO BE SOLVED: To provide a cracker monitor system that, in spite of a simple system configuration, can automatically detect an attack from a cracker on a network and protect the network from the attack, without limiting communication more than necessary and without requiring labor by a skilled engineer.

SOLUTION: An entrance of a LAN 1 is provided with a 
sensor 5 that sequentially acquires an IP packet passing 
through the entrance. The sensor 5 senses various 
attacks from a cracker with respect to the LAN 1 on the 
basis of the acquired IP packet. Information with respect 
to the attacker sensed by the sensor 5 is given to a 
director 6 controlling a firewall 2. The director 6 controls 
the setting of the firewall 2 in response to the given 
information to block the IP packet relating to the sensed 
attack from entering the LAN 1.
(Partial Translation)
JP 2001-057554 A

[Embodiment of the invention]

[0008] An embodiment according to the present invention is explained with reference to Fig. 1. Fig. 1 is a diagram of a system configuration according to the present embodiment. In Fig. 1, numeral 1 is a LAN as a network. The LAN 1 is built on, for example, Ethernet, and a plurality of hosts (computers) (not shown) are connected via an Ethernet cable, a hub, and the like. An Ethernet card for connecting to the Ethernet cable, software for performing TCP/IP processing, and various application software that runs on TCP/IP (for example, telnet, ftp, and smtp) are implemented in each of the hosts, enabling communication based upon IP. The LAN 1 is not limited to a network built on Ethernet; any other architecture, such as token ring, can be employed.

In the system according to the present embodiment, a computer 2 having a function of a firewall as a packet filter (hereinafter, the computer 2 is simply referred to as "firewall 2") is arranged at an entrance of the LAN 1. The LAN 1 is connected to an internet 3 via the firewall 2. The firewall 2 has a file (hereinafter, "filter setting file") in which data is written defining what type of IP packet is prohibited from entering the LAN 1. When an IP packet of a type that the filter setting file prohibits from entering the LAN 1 is sent from the internet 3 side, the IP packet is discarded to block its entry into the LAN 1. When an IP packet that the filter setting file does not prohibit from entering the LAN 1 is sent, the IP packet is transferred to the LAN 1.

A hub 4 is mounted between the firewall 2 and the internet 3, and a sensor 5 having a function as an attack detecting unit is connected to the hub 4. Furthermore, a director 6 having a function as a processing unit that controls the firewall 2 is connected to the sensor 5. The sensor 5 and the director 6 are each configured with a computer. The sensor 5 is, for example, configured with a UNIX machine and connected to the hub 4 via the Ethernet card 7. In this case, software called TCP DUMP is implemented in the sensor 5. The TCP DUMP enables acquiring (hearing) all IP packets that pass through the hub 4 via the Ethernet card 7. The sensor 5 stores and retains, on a hard disk (not shown), each of the acquired IP packets and time data indicative of the time at which the IP packet is acquired. If the total number of the IP packets stored on the hard disk reaches the predetermined allowable capacity, the sensor 5 deletes the oldest IP packet to store a newly acquired IP packet on the hard disk. Furthermore, the sensor 5 does not have an IP address and, by setting its software not to respond to response-requesting packets such as ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol), can only receive (load) IP packets.

Moreover, software (hereinafter, "attack detecting algorithm") for detecting the first to sixth type attacks mentioned above is implemented in the sensor 5. The attack detecting algorithm can alternatively be implemented in the director 6, with the sensor 5 performing the processing of the attack detecting algorithm while sending and receiving data to and from the director 6. Software (hereinafter, "filter control algorithm") that controls the firewall 2 is implemented in the director 6. In this case, the filter control algorithm rewrites the data of the filter setting file depending upon the attack detected by the sensor 5 to control the firewall 2.

Next, operation according to the present embodiment is explained. The sensor 5 performs the following processing per predetermined cycle time while storing the acquired IP packets on the hard disk. That is, the IP packets for a predetermined time interval are classified (sorted) per value of source IP address and per value of destination IP address and loaded into a memory (not shown). In other words, out of the IP packets for the predetermined time interval, the IP packets having an identical source IP address are consolidated and the IP packets having an identical destination IP address are consolidated, and these are loaded into the memory (hereinafter, a consolidated set of IP packets is referred to as an "IP packet group"). The IP packets loaded into the memory are processed for attack detection as described later and are then deleted from the memory. In this case, the IP packets to be loaded into the memory are the IP packets acquired after a predetermined time has elapsed since the acquisition of the oldest IP packet among the IP packets loaded into the memory in the previous cycle time. The processing for attack detection by the sensor 5 in each cycle time is performed in the following manner based upon the attack detecting algorithm.

The sensor 5 performs processing for detecting, for example, the first type attack out of the first to sixth type attacks, namely port scanning. In this processing, for each IP packet group that has an identical source IP address, where that source IP address is external to the LAN 1, among the IP packets loaded into the memory as described above, the sensor 5 extracts the values of all the destination IP addresses (IP address values belonging to the LAN 1) held by the IP packets included in that IP packet group. Thereafter, for each destination IP address value extracted from each such IP packet group, the sensor 5 counts, within the IP packet group (the IP packet group of the identical source IP address), the number of IP packets that are acquired within a predetermined continuous time (for example, within 30 seconds), that have a destination IP address identical to that value, and that have different destination port numbers in the TCP header or the UDP header. When the counted number reaches a predetermined number (for example, 20), the sensor 5 detects a port scanning attack and sends, to the director 6, data indicative of the attack together with value data for the source IP address of the IP packet group on which the attack is detected (hereinafter, "first type attack detection data"). Such processing is performed sequentially for all IP packet groups having an identical source IP address that does not belong to the LAN 1.
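
The counting rule above, written out as an added example (not code from the patent). It reads "different destination port numbers" as the number of distinct ports seen inside a sliding 30-second window, and its "horizontal" mode covers the variant the text describes next (one port, many destination addresses); the `Packet` record, the 192.0.2.0/24 stand-in for LAN 1 and the sample capture are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")  # constructed stand-in for LAN 1
WINDOW_S = 30    # "within 30 seconds" (the page's example value)
THRESHOLD = 20   # "for example, 20" (the page's example value)


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds, as stored by the sensor
    src: str
    dst: str
    dport: int   # destination port from the TCP or UDP header


def detect_scans(packets, mode="vertical", lan=LAN,
                 window=WINDOW_S, threshold=THRESHOLD):
    """Return the external source IPs whose traffic matches the scan rule.

    mode="vertical":   one source, one LAN host, many different ports.
    mode="horizontal": one source, one port, many different LAN hosts.
    """
    if mode not in ("vertical", "horizontal"):
        raise ValueError(mode)
    groups = defaultdict(list)  # (src, fixed field) -> [(ts, varying field)]
    for p in packets:
        # Only sources outside the LAN aimed at addresses inside it count.
        if ip_address(p.src) in lan or ip_address(p.dst) not in lan:
            continue
        if mode == "vertical":
            groups[(p.src, p.dst)].append((p.ts, p.dport))
        else:
            groups[(p.src, p.dport)].append((p.ts, p.dst))

    scanners = set()
    for (src, _fixed), events in groups.items():
        events.sort()
        in_window = defaultdict(int)  # varying value -> packets in window
        left = 0
        for ts, value in events:
            in_window[value] += 1
            # Slide the window so it spans at most `window` seconds.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                scanners.add(src)
                break
    return sorted(scanners)


def build_sample():
    """Constructed capture covering both rules and three non-matches."""
    pkts = []
    # 25 ports on one host within 12 s: matches the vertical rule.
    pkts += [Packet(i * 0.5, "203.0.113.9", "192.0.2.10", 1 + i)
             for i in range(25)]
    # Port 23 on 22 hosts within 11 s: matches the horizontal rule.
    pkts += [Packet(i * 0.5, "203.0.113.77", f"192.0.2.{100 + i}", 23)
             for i in range(22)]
    # 25 ports, one every 5 s: at most 7 distinct ports in any 30 s window.
    pkts += [Packet(i * 5.0, "203.0.113.50", "192.0.2.10", 5000 + i)
             for i in range(25)]
    # 40 packets to a single port: heavy traffic, but one port only.
    pkts += [Packet(i * 0.1, "198.51.100.7", "192.0.2.10", 80)
             for i in range(40)]
    # Source inside the LAN: outside the scope of the rule.
    pkts += [Packet(i * 0.1, "192.0.2.5", "192.0.2.10", 1 + i)
             for i in range(30)]
    return pkts


if __name__ == "__main__":
    capture = build_sample()
    print("vertical  :", detect_scans(capture, "vertical"))
    print("horizontal:", detect_scans(capture, "horizontal"))
```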

In the present embodiment, detection of port scanning is performed by counting the number of IP packets having different port numbers; however, the detection of port scanning can also be performed by the following processing. Namely, for each IP packet group that has an identical source IP address, where that source IP address is external to the LAN 1, the values of all the destination port numbers held by the IP packets included in that IP packet group are extracted. Then, for each extracted destination port number value, the number of IP packets in the IP packet group that are acquired within a predetermined continuous time, that have a destination port number identical to that value, and that have different destination IP addresses is counted. When the counted number reaches a predetermined number, port scanning is detected.

On the other hand, the director 6 that is provided with the first type attack detection data from the sensor 5 rewrites the filter setting file of the firewall 2 to block the entry of the IP packets whose source IP address is identical to the source IP address included in the first type attack detection data for a predetermined time (for example, for five minutes) from the present time. During this time, upon receiving IP packets having that source IP address from the internet 3, the firewall 2 discards the IP packets to block their entry into the LAN 1, whereby the LAN 1 is protected from the port scanning attack. If the director 6 is again provided with first type attack detection data identical to the previously provided first type attack detection data before the predetermined time (five minutes) elapses, the director 6 controls the firewall 2 to block the entry of the IP packets from the source IP address of the first type attack detection data into the LAN 1. Accordingly, while the port scanning attack continues, the IP packets from the source IP address cannot enter the LAN 1. If the director 6 is not provided with the first type attack detection data again within the predetermined time (five minutes), the blocking of the entry into the LAN 1 of the IP packets from the source IP address of the first type attack detection data is released.

In this manner, after the sensor 5 completes the processing for detecting a port scanning attack, the sensor 5 performs processing for detecting the second type attack (SYN FLOOD). In this processing, among the IP packet groups having an identical destination IP address, for each IP packet group whose destination IP address belongs to the LAN 1, the sensor 5 sequentially extracts the IP packets for SYN included in that IP packet group in chronological order of their acquisition. Thereafter, for each extracted IP packet for SYN, the sensor 5 checks whether IP packets for SYN acquired within a predetermined time (for example, 2 seconds) from the time of acquiring that packet are present in the IP packet group having the identical destination address. If they are present, the sensor 5 counts the number of those IP packets for SYN, including the previously extracted IP packet for SYN. Moreover, for the counted IP packets for SYN, the sensor 5 checks whether the IP packets for ACK corresponding to the respective IP packets for SYN (IP packets for ACK having a source IP address identical to that of the IP packet for SYN and having the sequence number next to the sequence number in the TCP header of the IP packet for SYN), acquired within the predetermined time (2 seconds) from the time of acquiring the IP packet for SYN, are present in the IP packet group having the identical destination address. Each time such a packet is present, the count is decremented by one. If the count is equal to or greater than a predetermined number (for example, 16) when the check for the corresponding IP packets for ACK is finally completed, a SYN FLOOD attack is detected, and the data indicative of the attack together with the value data for the source IP address and the value data for the destination IP address of the IP packets for SYN for which the attack is detected (hereinafter, "second type attack detection data") are provided to the director 6.
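
The SYN/ACK bookkeeping above is easier to follow in code. This is an added example, not code from the patent: it counts the SYNs captured within 2 seconds of each SYN, subtracts those whose handshake-completing ACK (same source, sequence number one higher) was captured within 2 seconds, and reports the target once 16 remain. The `Segment` record, the one-letter flag encoding, the 192.0.2.0/24 stand-in for LAN 1 and the sample capture are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")  # constructed stand-in for LAN 1
WINDOW_S = 2.0   # "for example, 2 seconds" (the page's example value)
THRESHOLD = 16   # "for example, 16" (the page's example value)


@dataclass(frozen=True)
class Segment:
    ts: float    # capture time in seconds
    src: str
    dst: str
    flags: str   # "S" = SYN, "A" = ACK (simplified encoding for the example)
    seq: int     # TCP sequence number


def detect_syn_flood(segments, lan=LAN, window=WINDOW_S, threshold=THRESHOLD):
    """Return {target IP: sorted source IPs of the unanswered SYNs}."""
    by_dst = defaultdict(list)          # one group per destination in the LAN
    for s in segments:
        if ip_address(s.dst) in lan:
            by_dst[s.dst].append(s)

    alerts = {}
    for dst, group in by_dst.items():
        group.sort(key=lambda s: s.ts)
        syns = [s for s in group if s.flags == "S"]
        acks = defaultdict(list)        # (source, seq) -> ACK capture times
        for s in group:
            if s.flags == "A":
                acks[(s.src, s.seq)].append(s.ts)

        def answered(syn):
            # Matching ACK: same source, seq = SYN seq + 1 (32-bit wrap),
            # captured no later than `window` seconds after the SYN.
            want = (syn.src, (syn.seq + 1) % 2**32)
            return any(0 <= t - syn.ts <= window for t in acks.get(want, ()))

        for i, first in enumerate(syns):
            burst = [s for s in syns[i:] if s.ts - first.ts <= window]
            pending = [s for s in burst if not answered(s)]
            if len(pending) >= threshold:
                alerts[dst] = sorted({s.src for s in pending})
                break
    return alerts


def build_sample():
    """Constructed capture: one flooded host, one busy host, one slow peer."""
    segs = []
    for i in range(40):
        # 40 SYNs in 1 s to 192.0.2.20, none followed by an ACK.
        segs.append(Segment(i * 0.025, f"203.0.113.{i + 1}", "192.0.2.20",
                            "S", 1000 + i))
        # 40 SYNs in 1 s to 192.0.2.30, each completed 50 ms later.
        seq = 2**32 - 1 if i == 0 else 7000 + i   # first one wraps to 0
        client = f"198.51.100.{i + 1}"
        segs.append(Segment(i * 0.025, client, "192.0.2.30", "S", seq))
        segs.append(Segment(i * 0.025 + 0.05, client, "192.0.2.30", "A",
                            (seq + 1) % 2**32))
    for i in range(10):
        # 10 SYNs whose ACKs arrive 3 s later: unanswered, but only 10.
        client = f"198.51.100.{100 + i}"
        segs.append(Segment(i * 0.1, client, "192.0.2.40", "S", 50 + i))
        segs.append(Segment(i * 0.1 + 3.0, client, "192.0.2.40", "A", 51 + i))
    return segs


if __name__ == "__main__":
    for target, sources in detect_syn_flood(build_sample()).items():
        print(target, "unanswered SYNs from", len(sources), "sources")
```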

Such processing is performed sequentially for all IP packet groups having an identical destination IP address that belongs to the LAN 1. In the present embodiment, detection of SYN FLOOD is performed based upon the number of the IP packets for SYN; however, the detection of SYN FLOOD can also be performed by the following processing. Namely, for each IP packet group having an identical source IP address that belongs to the LAN 1, the IP packets for SYN/ACK included in the IP packet group are extracted in chronological order of their acquisition. Thereafter, for each extracted IP packet for SYN/ACK, the sensor 5 checks whether IP packets for SYN/ACK acquired within the predetermined time (for example, 2 seconds) from the time of acquiring that packet are present in the IP packet group having the identical source address. If they are present, the sensor 5 counts the number of those IP packets for SYN/ACK, including the previously extracted IP packet for SYN/ACK. Moreover, for the respective IP packets for SYN/ACK, the sensor 5 checks the IP packet group whose destination address is identical to that source IP address for the presence of the IP packets for ACK corresponding to the IP packets for SYN/ACK (IP packets for ACK having a destination IP address identical to the source address of the IP packet for SYN/ACK and having the ACK number next to the sequence number in the TCP header of the IP packet for SYN/ACK), acquired within the predetermined time (2 seconds) from the time of acquiring the IP packet for SYN/ACK. Each time such an IP packet for ACK is present, the count is decremented by one. If the count is equal to or greater than the predetermined number (for example, 16) when the check for the corresponding IP packets for ACK is finally completed, a SYN FLOOD attack is detected. In this case, the data to be provided to the director 6 from the sensor 5 are the data indicative of detection of the SYN FLOOD attack, the value data for the source IP address, and the value data for the destination IP address of the IP packets for SYN/ACK. In this case, the value data for the source IP address and the value data for the destination IP address of the IP packets for SYN/ACK respectively correspond to the value data for the source IP address and the value data for the destination IP address of the IP packets for SYN in the aforementioned second type attack detection data.

The director 6 that is provided with the second type attack detection data from the sensor 5 rewrites the filter setting file of the firewall 2 to block the entry of the IP packets whose source IP address is identical to the source IP address included in the second type attack detection data for a predetermined time (for example, for two minutes) from the present time. Simultaneously, the director 6 rewrites the filter setting file of the firewall 2 to block the entry of the IP packets whose destination IP address is identical to the destination IP address included in the second type attack detection data for a predetermined time (for example, for two minutes) from the present time. During this time, upon receiving the IP packets having that source IP address or the IP packets having that destination IP address from the internet 3, the firewall 2 discards the IP packets to block their entry into the LAN 1, whereby the LAN 1 is protected from the SYN FLOOD attack and the host having the targeted IP address can return to the normal state without shutting down. Similarly to the case of detecting port scanning, with regard to eliminating the IP packets having the source IP address in the second type attack detection data, if the director 6 is again provided by the sensor 5 with second type attack detection data identical to the previously provided second type attack detection data before the predetermined time (two minutes) elapses, the director 6 controls the firewall 2 to block the entry of the IP packets from the source IP address of the second type attack detection data into the LAN 1. The same applies to elimination of the IP packets having the destination IP address in the second type attack detection data. Accordingly, while the SYN FLOOD attack continues, the IP packets from the source IP address associated with the attack or the IP packets having the destination IP address associated with the attack cannot enter the LAN 1. For elimination of either the IP packets having the source IP address in the second type attack detection data or the IP packets having the destination IP address in the second type attack detection data, if the second type attack detection data is not provided to the director 6 before each corresponding predetermined time (for two minutes and for two seconds) elapses, the blocking of the entry into the LAN 1 of the IP packets having the source IP address of the second type attack detection data or the IP packets having the destination IP address of the second type attack detection data is released.

In this manner, the sensor 5 that has completed the processing for detecting the SYN FLOOD attack proceeds to the processing for detecting the third type attack (Teardrop). In this processing, the sensor 5 sequentially extracts the IP packets that are split (hereinafter, simply "split packets") and that are included in each IP packet group having an identical destination IP address that belongs to the LAN 1. In IP, a split packet has a certain flag in the IP header set to one or has a value larger than zero in the so-called fragment offset, whereby the split packets can be found. For each extracted split packet, the sensor 5 checks whether the same IP packet group contains split packets identical to the extracted split packet, that is, packets that are acquired within a predetermined time (for example, five minutes) from the time of acquiring the extracted split packet and whose fragment offset value and IP identification number in the IP header are identical to those of the extracted split packet. If such split packets are present, the sensor 5 counts the number of the split packets, including the previously extracted split packet. If the count is equal to or greater than a predetermined number (for example, 80), a Teardrop attack is detected, and the data indicative of the attack together with the value data for the source IP address and the value data for the destination IP address of the split packets for which the attack is detected (hereinafter, "third attack detection data") are provided to the director 6. Such processing is performed sequentially for all IP packet groups having an identical destination IP address that belongs to the LAN 1.

The director 6 that is provided with the third attack detection data from the sensor 5 controls the firewall 2 in the same manner as in the case of detecting the SYN FLOOD.
In other words, the director 6 rewrites the filter setting file of the firewall 2 to block the entry into the LAN 1 of the IP packets whose source IP address is identical to the source IP address included in the third type attack detection data for a predetermined time (for two minutes) from the present time. Simultaneously, the director 6 rewrites the filter setting file of the firewall 2 to block the entry of the IP packets whose destination IP address is identical to the destination IP address included in the third type attack detection data for a predetermined time (for two minutes) from the present time, whereby the LAN 1 is protected from the Teardrop attack and the host having the targeted IP address can return to the normal state without shutting down.

In this manner, after the sensor 5 completes the processing for detecting a Teardrop attack, the sensor 5 performs processing for detecting the fourth type attack (LAND). In this processing, among the IP packet groups having an identical destination IP address, from each IP packet group whose destination IP address belongs to the LAN 1, the sensor 5 extracts the IP packets whose source IP address is identical to the value of the destination IP address of that IP packet group. Furthermore, the sensor 5 checks whether IP packets that are acquired within a predetermined time (for example, two minutes) from the time of acquiring the extracted IP packets and that have a source IP address identical to that of the extracted IP packets are present in the IP packet group whose destination IP address is identical to that of the extracted IP packets. If such IP packets are present, the number of the IP packets, including the previously extracted IP packets, is counted. If the count is equal to or greater than a predetermined number (for example, 6), a LAND attack is detected, and the data indicative of the attack together with the value data for the source IP address of the IP packets for which the attack is detected (hereinafter, "fourth attack detection data") are provided to the director 6. Such processing is performed sequentially for all IP packet groups having an identical destination IP address that belongs to the LAN 1.

The director 6 that is provided with the fourth attack detection data from the sensor 5 rewrites the filter setting file of the firewall 2 to block the entry into the LAN 1 of the IP packets whose source IP address is identical to the source IP address included in the fourth type attack detection data and whose destination IP address is identical to that source IP address, for a predetermined time (for example, for five minutes) from the present time. During this time, upon receiving the IP packets having that source IP address and the IP packets having that destination IP address from the internet 3, the firewall 2 discards the IP packets to block their entry into the LAN 1, whereby the LAN 1 is protected from the LAND attack. Similarly to the case of detecting port scanning, with regard to eliminating the IP packets whose source IP address and destination IP address are identical to the source IP address in the fourth type attack detection data, if the director 6 is again provided by the sensor 5 with fourth type attack detection data identical to the previously provided fourth type attack detection data before the predetermined time (five minutes) elapses, the director 6 controls the firewall 2 to block the entry into the LAN 1 of the IP packets having the source IP address and the destination IP address of the fourth attack detection data for the predetermined time (for five minutes) from the moment that the director 6 is provided with the fourth attack detection data. Accordingly, while the LAND attack continues, the IP packets having the source IP address and the destination IP address associated with the attack cannot enter the LAN 1. If the fourth attack detection data is not provided, the director 6 releases the blocking of the entry into the LAN 1 of the IP packets whose source IP address and destination IP address are identical to the source IP address of the fourth attack detection data.
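
The director's side of the scheme is a set of drop rules with expiry times: a report installs a rule for the period given for that attack type, an identical report before expiry restarts the period from the moment it arrives, and silence lets the rule lapse. The following is an added example, not code from the patent. The block periods are the page's example values, including the one-hour and six-hour periods given for the fifth and sixth types in paragraph [0009]; the mapping of each attack type to a match shape is this example's reading of the text, and the `Director` class, its method names and the addresses are constructed, since the patent does not specify the format of the filter setting file.

```python
# Block periods in seconds (the page's example values) and the shape of the
# drop rule installed for each attack type (this example's reading).
POLICY = {
    "port_scan": (5 * 60, ("src",)),
    "syn_flood": (2 * 60, ("src", "dst")),
    "teardrop": (2 * 60, ("src", "dst")),
    "land": (5 * 60, ("land",)),
    "password": (60 * 60, ("pair",)),
    "hole": (6 * 60 * 60, ("pair",)),
}


class Director:
    """Tracks the drop rules that would be written to the filter file."""

    def __init__(self):
        self._expiry = {}  # (src or None, dst or None) -> expiry time

    def report(self, attack, src, dst, now):
        """Handle attack detection data received from the sensor at `now`."""
        ttl, shapes = POLICY[attack]
        for shape in shapes:
            rule = {
                "src": (src, None),    # anything from the reported source
                "dst": (None, dst),    # anything to the reported target
                "land": (src, src),    # source equal to destination
                "pair": (src, dst),    # this source to this target
            }[shape]
            # A repeated report restarts the period from the moment it arrives.
            self._expiry[rule] = max(self._expiry.get(rule, 0), now + ttl)

    def active_rules(self, now):
        """Discard expired rules and return the ones still in force."""
        self._expiry = {r: t for r, t in self._expiry.items() if t > now}
        return sorted(self._expiry, key=str)

    def allows(self, src, dst, now):
        """True if an inbound packet src -> dst would be forwarded."""
        return not any(rs in (None, src) and rd in (None, dst)
                       for rs, rd in self.active_rules(now))


def replay():
    """Constructed timeline (seconds): block, renewal, release."""
    d = Director()
    scanner, host = "203.0.113.9", "192.0.2.10"
    out = {}
    d.report("port_scan", scanner, host, now=0)      # blocked until t=300
    out["blocked_at_250"] = not d.allows(scanner, host, now=250)
    d.report("port_scan", scanner, host, now=250)    # renewed until t=550
    out["blocked_at_400"] = not d.allows(scanner, host, now=400)
    out["released_at_551"] = d.allows(scanner, host, now=551)

    d.report("syn_flood", "203.0.113.80", "192.0.2.20", now=1000)
    out["rules_at_1060"] = d.active_rules(1060)
    # The destination rule also drops unrelated senders to the target.
    out["bystander_blocked"] = not d.allows("198.51.100.7", "192.0.2.20",
                                            now=1060)
    out["bystander_released"] = d.allows("198.51.100.7", "192.0.2.20",
                                         now=1121)
    return out


if __name__ == "__main__":
    for name, value in replay().items():
        print(f"{name}: {value}")
```

The destination rules installed for SYN FLOOD and Teardrop make the firewall drop every inbound packet to the targeted host for the block period, so the targeted host is unreachable from the internet side while the rule is in force.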

[0009] In the present embodiment, the value data for the source IP address of the IP packets associated with the LAND attack is provided to the director 6 as the fourth attack detection data. Because the source IP address has the same value as the destination IP address of the IP packets associated with the LAND attack, the value of the destination IP address can be provided to the director 6 instead of the value data for the source IP address.

As mentioned above, after the sensor 5 completes the processing for detecting the LAND attack, the sensor 5 performs processing for detecting the fifth type attack (acquiring a password). In this processing, among the IP packet groups having an identical destination IP address, for each IP packet group whose destination IP address belongs to the LAN 1, the sensor 5 extracts the IP packets that include user name data and password data for a host of the LAN 1. From the extracted IP packets, the sensor 5 counts the number of IP packets that are acquired within a predetermined continuous time (for example, within two minutes) and that have identical user name data and different password data. When the counted number is equal to or greater than a predetermined number (for example, 20), the sensor 5 detects the fifth type attack for acquiring a password and sends, to the director 6, the data indicative of the attack together with the value data for the source IP address and the value data for the destination IP address of the IP packets for which the attack is detected (hereinafter, "fifth type attack detection data"). Such processing is performed sequentially for all IP packet groups having an identical destination IP address that belongs to the LAN 1.

The director 6 that is provided with the fifth attack detection data from the sensor 5 rewrites the filter setting file of the firewall 2 to block the entry into the LAN 1 of the IP packets whose source IP address and destination IP address are identical to the source IP address and the destination IP address of the fifth type attack detection data for a predetermined time (for example, for one hour) from the present time. During this time, upon receiving the IP packets having that source IP address or that destination IP address from the internet 3, the firewall 2 discards the IP packets to block their entry into the LAN 1, whereby the LAN 1 is protected from the fifth type attack aiming at acquiring the password. Similarly to the case of detecting port scanning, with regard to eliminating the IP packets whose source IP address and destination IP address are identical to those in the fifth type attack detection data, if the director 6 is again provided by the sensor 5 with fifth type attack detection data identical to the previously provided fifth type attack detection data before the predetermined time (one hour) elapses, the director 6 controls the firewall 2 to block the entry into the LAN 1 of the IP packets having the source IP address and the destination IP address of the fifth attack detection data for the predetermined time (one hour) from the moment that the director 6 is provided with the fifth attack detection data.
Accordingly, unless the fifth type attack continues,- the IP 
packets having the source IP address and the destination IP 
address associated with the attacking cannot enter into the 
LAN 1. If the director 6 is not provided with the fifth 
type attack detection data again before the predetermined 
time (one hour) elapses, blocking of the entry into the LAN 
1 by the IP packets having the source IP address and the 
destination IP address of the fifth type attack detection 
data is released. In this manner, after the sensor 5 
completes processing for detecting the attack of LAND, the 
sensor 5 performs processing for sixth type attack 
detection (attacking through hole) . In the processing, for 
the IP packet groups having the identical destination IP 
address, the sensor 5 retrieves IP packets having, for 
example, "lpr" command as the printer logical name with a 
data size being equal to or greater than 128 characters for 
the each IP packet group having the destination IP address 
that belongs to LAN 1. If such IP packets are retrieved, 
the sixth type attacking on the through hole of the host of 
LAN 1 is detected, and the data indicative of the attack, 
the value data for the source IP address and the value data 
for the destination IP address of the IP packets for which 
the attack is detected (hereinafter, "sixth attack 
detection data") are provided to the director 6. The 
director 6 that is provided with the sixth attack detection 
data from the sensor 5 rewrites the filter setting file of 
the firewall 2 to block the entry into the LAN 1 by the IP 
packets having the source IP address and the destination IP 
address identical to the source IP address and the 
destination IP address of the sixth type attack detection 
data for predetermined time (for example, for six hours) 
from the present time. At this time, upon receiving the IP 

14 



packets having the source IP address or the destination IP 
address from the internet 3, the firewall 2 discards the IP 
packets to block the entry thereof into the LAN 1, whereby 
the LAN 1 is protected from the sixth type attack on the 
5 through hole of the host of the LAN 1. Similarly to the 
case for detecting port scanning, if the director 6 is 
again provided with the sixth type attack detection data 
identical to the sixth type attack detection data that is 
previously provided from the sensor 5 before the 

10 predetermined time {six hours) elapses for eliminating the 
IP packets having the source IP address and the destination 
IP address identical to those in the sixth type attack 
detection data, the director 6 controls the firewall 2 to 
block the entry into the LAN 1 by the IP packets having the 

15 source IP address and the destination IP address of the 

sixth attack detection data for the predetermined time (six 
hours) from the moment that the director 6 is provided with 
the sixth attack detection data. Accordingly, unless the 
sixth type attack continues, the IP packets having the 

20 source IP address and the destination IP address associated 
with the attacking cannot enter into the LAN 1. If the 
director 6 is not provided with the sixth type attack 
■detection data again before the predetermined time (six 
hours) elapses, blocking of the entry into the LAN 1 by the 

25 IP packets having the source IP address and the destination 
IP address of the sixth type attack detection data is 
released. As explained above, according to the system of 
the present embodiment, only introducing the sensor 5 and 
the director 6 enables real-time detection of various 

30 attacks on the LAN 1 by crackers and taking appropriate 
countermeasure promptly and automatically to protect the 
LAN 1 from the detected attack, thereby extensively 
reducing workload for a network administrator such as 
establishing the LAN 1 considering an attack by a cracker 
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or frequently referring a log file, leading to reduction of 
the management cost for the LAW 1. Furthermore, various 
attacks by the crackers can be detected in real time, so
that while no attack is detected, the need to
restrict communication between the LAN 1 and the
outside can be reduced, whereby the degree of freedom of
communication by the LAN 1 in the normal state can be
enhanced and the information resources on the Internet 3 can
be used effectively. In the embodiment explained above,
the firewall 2 is provided at the entrance of the LAN 1
and is controlled when an attack by a cracker is detected,
so that the detected attack is automatically eliminated.
Alternatively, when an attack by a cracker is detected,
the processing can simply notify the network administrator,
an expert security administrator, or the like of the attack.
In this case, for example, the director 6 or the sensor 5 is
connected to the host of the network administrator, the
expert security administrator, or the like via a public line
or a dedicated line. When an attack is detected, information
such as the first to sixth attack detection data is sent
to that host from the director 6 or
the sensor 5. With this configuration, the specific
countermeasure for protecting the LAN 1 from the detected
attack is taken directly by the network administrator or
the like. In this case also, the network administrator or
the like can take the countermeasure when notified.
Moreover, because the type of the attack is detected, the
countermeasure against the attack can be taken relatively
easily.
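
The timed blocking described above for the sixth type of attack, together with the notify-only alternative, can be sketched as follows. This is an added example, not code from the patent: the class, field and action names are hypothetical, and restarting the six-hour timer on each repeated detection is an assumed reading of the text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

HOLD_SECONDS = 6 * 60 * 60  # the "predetermined time (six hours)" given in the text


@dataclass(frozen=True)
class Detection:
    """Attack detection data passed from sensor to director (field names assumed)."""
    attack_type: int  # 1..6, numbered as in the text
    src: str          # source IP address of the offending packets
    dst: str          # destination IP address of the offending packets
    seen_at: float    # seconds on any steadily increasing clock


def _pair(src, dst):
    """Canonical (source, destination) key; raises ValueError on a malformed address."""
    return str(ip_address(src)), str(ip_address(dst))


@dataclass
class Director:
    """Holds one timed block per (source, destination) address pair."""
    hold: float = HOLD_SECONDS
    notify_only: bool = False                     # alternative mode: report, do not block
    blocks: dict = field(default_factory=dict)    # (src, dst) -> time the block lapses
    actions: list = field(default_factory=list)   # ordered record of firewall changes

    def on_detection(self, det):
        """Handle one detection; returns 'blocked', 'extended' or 'notified'."""
        if not 1 <= det.attack_type <= 6:
            raise ValueError(f"unknown attack type {det.attack_type}")
        key = _pair(det.src, det.dst)
        self.expire(det.seen_at)  # lapse stale blocks before judging this one
        if self.notify_only:
            self.actions.append(("notify", det.attack_type) + key)
            return "notified"
        outcome = "extended" if key in self.blocks else "blocked"
        # Assumption: a repeated detection restarts the hold period from that moment.
        self.blocks[key] = det.seen_at + self.hold
        if outcome == "blocked":
            self.actions.append(("block",) + key)  # only new pairs need a new rule
        return outcome

    def expire(self, now):
        """Release every block whose hold period has elapsed; returns released pairs."""
        due = sorted(k for k, lapses in self.blocks.items() if lapses <= now)
        for key in due:
            del self.blocks[key]
            self.actions.append(("release",) + key)
        return due

    def admits(self, src, dst, now):
        """True if a packet with this address pair may enter the LAN at time `now`."""
        self.expire(now)
        return _pair(src, dst) not in self.blocks


def demo():
    """Replay a constructed timeline (documentation-range addresses, times in hours)."""
    h = 3600
    d = Director()
    attacker, victim, neighbour = "203.0.113.7", "192.0.2.10", "192.0.2.11"
    results = [
        d.on_detection(Detection(6, attacker, victim, 0 * h)),  # first detection
        d.on_detection(Detection(6, attacker, victim, 5 * h)),  # attack continues
        d.admits(attacker, victim, 7 * h),     # still held: the timer restarted at 5 h
        d.admits(attacker, neighbour, 7 * h),  # a different pair is not affected
        d.admits(attacker, victim, 11 * h),    # 6 h after the last detection
    ]
    return results, d.actions


if __name__ == "__main__":
    for item in demo():
        print(item)
```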

[Brief description of the drawings]

[Fig. 1] A diagram of a system configuration of a cracker
monitoring system according to an embodiment of the present
invention.

[Description of the numerals]

1 LAN (network)
2 Firewall (packet filter)
3 Internet
4 Hub
5 Sensor (attack detecting unit)
6 Director (processing unit)
7 Ethernet card